March 16, 2016 10:00 am

RC4 will no longer be supported in Microsoft Edge and IE11 [Updated]

In September 2015, Microsoft announced the end of support for the RC4 cipher in Microsoft Edge and Internet Explorer 11 in early 2016. [Updated] We initially announced plans to release this change in April 2016. Based on customer feedback, we now plan to delay disabling the RC4 cipher. We encourage customers to complete their migration away from RC4 soon: a forthcoming update will disable RC4 by default, and RC4 will no longer be offered during TLS fallback negotiations.

There is consensus across the industry that RC4 is no longer cryptographically secure. With this change, Microsoft Edge and IE11 are aligned with the most recent versions of Google Chrome and Mozilla Firefox.

What is RC4?

RC4 is a stream cipher designed in 1987 that has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4-protected plaintext can be recovered within hours or days. The typical attacks on RC4 exploit statistical biases in the RC4 keystream to recover a plaintext (such as a session cookie) that is encrypted repeatedly under different keys. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS.

Microsoft Edge and Internet Explorer 11 only offer RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error (a misbehaving server or middlebox), but the client cannot distinguish that from an active man-in-the-middle deliberately breaking the stronger handshake to force the downgrade. For this reason, RC4 was scheduled to be entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting April 12th; as noted in the update above, that date has since been postponed.

How can I prepare?

We expect that most users will not notice this change. The percentage of web services that support only RC4 is known to be small and shrinking.

If your web service relies on RC4, you will need to take action. Since 2013, Microsoft has recommended that customers enable TLS 1.2 in their services and remove support for RC4. For additional details, please see Security Advisory 2868725.

– Brent Mills, Senior Program Manager, Windows Experience

Updated April 1, 2016 4:54 pm

Join the conversation

  1. Hi, “disabled by default” implies that it can be enabled somehow. Can you comment on whether that will be possible, and on the details of doing that?

  2. Dear Microsoft – please add the ability in Edge to see what type of encrypted connection is being used on the connection. In IE you can see this by right-clicking on the page and going to Properties. A user in Edge today appears to have no way of knowing that a page was using RC4.